Warnings


■ Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment.

■ This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.

■ The security changes described in this document only apply to Microsoft Windows 2000 Server systems and should not be applied to any other Windows 2000 versions or operating systems.

■ SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

■ This document is current as of May 1, 2001. See Microsoft's web page http://www.microsoft.com/ for the latest changes or modifications to the Windows 2000 operating system.
Introduction

The purpose of this guide is to provide technical guidance to network administrators of small to medium size networks in the configuration and integration of Microsoft Windows 2000 Server Router features. This guide will also inform the reader about additional security features that are available in the Microsoft Windows 2000 Server Router environment. This guide is not intended to provide individual security settings for the network devices. Instead, it is designed to give the reader an idea of what functionality is recommended in the integration of the Windows 2000 router within a TCP/IP network.

The Microsoft Windows 2000 Router Configuration Guide presents a general overview of the routing features, recommended routing protocol, and filtering services. This overview is designed to show the recommended functionality in various locations within a network. The author intends for this guide to be used to help the planning phase of a small to medium sized network with typically less than 50 LAN segments. This guide should not be used on its own as an all-encompassing blueprint for router configuration.

This document is intended for Microsoft Windows 2000 network administrators and network designers. However, it should be useful for anyone involved with designing a routable network that includes Microsoft Windows 2000 hosts and/or servers.

Recently, within the DoD community, increased emphasis has been placed on the importance of mitigating the impacts of a Distributed Denial of Service (DDOS) attack and mitigating the possibility of DoD networks being used as an agent of an attack against the DoD itself, commercial organizations, or even foreign governments. Focus has also been placed on the deterrence of these types of activities. Using the Windows 2000 Server Routing features is recommended as a possible solution to this ongoing network concern for small organizations already within a DoD domain or at remote locations.

It is important to have a basic understanding of routing before beginning to configure the Windows 2000 Router features. To assist in this understanding, the first section of this guide briefly covers the basics of IP routing.


NOTE: This guide does not address specific security issues for the Microsoft Windows 2000 operating system or any of the other network operating systems or services mentioned.


Getting the Most from this Guide


The following list contains suggestions to successfully secure Windows 2000 Router Configuration according to this guide:

WARNING: This list does not address site-specific issues and every setting in this book should be tested on a non-operational network.

□ Read the guide in its entirety. Omitting or deleting steps can potentially lead to an unstable system and/or network that will require reconfiguration and reinstallation of software.

□ Perform pre-configuration recommendations:

□ Perform a complete backup of your system before implementing any of the recommendations in this guide

□ Follow the security settings that are appropriate for your environment.


Windows 2000 Routing Focus


This guide will focus on how to configure and use Windows 2000 Server routing features. If your organization is small to medium and cannot support the budget for a dedicated hardware router, but still requires network routing and traffic filtering for enhanced security, Windows 2000 routing may be a viable option. A medium sized network typically has less than 50 network segments. Windows 2000 Server routing provides multi-protocol LAN-to-LAN, LAN-to-WAN, virtual private network (VPN) and network address translation (NAT) routing services. Figure 1 displays the recommended configuration environment, which represents a contained domain (reference the Microsoft Windows 2000 Network Architecture Guide). The configuration consists of a Windows 2000 Server computer with two network cards (one card for connection to each separate local network) and two four-port hubs. The recommended configuration does not extend across any networks that are outside the control of the organization.


[Figure 1 diagram: labelled nodes include a laptop computer and a workstation]

Figure 1 - Recommended Windows 2000 Contained Domain Router Environment


About the Microsoft Windows 2000 Router Configuration Guide


This document consists of the following chapters:

Chapter 1, "Windows 2000 Methods of Routing," contains information on static and dynamic routing, the two standard methods of defining routes between networks.

Chapter 2, "Windows 2000 Routing Configuration," presents a brief introduction to router configuration, step-by-step directions to navigate through the Routing and Remote Access Configuration Wizard, and details on router interfaces for Routing Information Protocol (RIP) Version 2.

Chapter 3, "Windows 2000 Routing Security Configuration," presents details on password authentication, peer security, IPSec, packet filtering configuration, and audit & logging.
Appendix A, "References," contains a list of resources cited.
Chapter 1

Windows 2000 Methods of Routing

Routing is the term used to describe the means of directing data from one network segment to another, or for communicating with hosts outside a local network if no specific or direct route is known. In the OSI model, routing takes place in the Network Layer (Layer 3), above the Physical and Data Link Layers. At the Network Layer, the router will look at the destination of a given packet to determine either the most efficient or possibly the only route by which the packet can be delivered. At this point there is a possibility that a packet could be lost or dropped if the destination connection is unavailable or if an undetected link failure occurs at the destination. A packet could also be dropped if a device refuses the packet. Routing is beneficial to a network because it allows the network to handle increased users and data without sacrificing performance. More importantly, routing enables the capability to filter certain traffic for security.

The Windows 2000 Router supports several different routable protocol suites including TCP/IP and IPX Routing. These routing options give Windows 2000 the capability to integrate into an existing network. In general, IP routing may be configured with static routes, dynamic routes, or a mixture of both. Dynamic routes require support for routing protocols. Two of the most common IP routing protocols are Open Shortest Path First (OSPF) and Routing Information Protocol (RIP). Of these two IP routing protocols, RIP is more common and much easier to configure than OSPF. This guide will focus more on the RIP protocol.

The Windows 2000 router can be configured to integrate into an already existing environment consisting of Cisco or other dedicated routing devices. The recommended environment is intended to be representative of a contained DoD infrastructure.


Static and Dynamic Routing


Static and dynamic routing are the two standard methods of defining routes between networks. Static routing manually defines the network routes. Dynamic routing is where the network routes are defined automatically and any changes are also made and updated automatically. Both methods have advantages and disadvantages and can be used with Windows 2000 routing.

The advantage of static routing is that for remote sites or a subnet with only one link to outside connectivity, all non-local traffic can be directed to the next subnet or router. This is an advantage for remote office networks because the routing is simplified by routing all non-local traffic over the single line, which completely eliminates the need for any routing updates. This also reduces network traffic compared to dynamic routing, where updates continually put traffic on the network. The main disadvantage of static routing is that the router will not respond to any changes in the network topology. For example, if a primary router is no longer available, dynamic changes will not occur. Dynamic routing can, if properly configured, automatically forward traffic along a new route if the primary link becomes unavailable.

In dynamic routing, routing protocols such as RIP (Routing Information Protocol) or OSPF (Open Shortest Path First) communicate the changes and updates between the routers. The main advantage of dynamic routing is that if any communication link goes down, a new route is automatically defined and is virtually transparent to the users.

In this guide, both static and dynamic routing methods are discussed. For example, in Figure 1, one could use static routing on the backside of the router with dynamic routing on the side of the router adjacent to the WAN interface. The method used depends on the individual site's network size and requirements.
Windows 2000 Router Configuration


Configuration Introduction


The first things to do in configuring Windows 2000 Server to function as a router are enabling the Routing and Remote Access Services (RRAS) and adding the routing interfaces. This process will be covered in detail in the next section. With RRAS, your Windows 2000 server can also be configured to function as a remote access server, a Virtual Private Network (VPN) server, a gateway, or a branch-office router. This guide focuses on configuration of the Windows 2000 Server strictly as a gateway router.

Once RRAS has been enabled and the interfaces added, the next step will be to determine which routing protocols and routing features of the Windows 2000 router will be required by your network. For an existing network, determine which protocols and routing features you will need to enable to ensure compatibility. The features that are available at this step are deploying static IP routing, RIP, or the OSPF protocol.

The last step is to install and configure the protocols. Although not discussed in this guide, you can also configure the DHCP Relay Agent, configure IP multicast support, design and deploy network address translation, configure IPX packet filters, or design and deploy demand-dial routing. An additional routing benefit that will be discussed later is the configuration of IP packet filters, which enhances security by filtering certain types of traffic or blocking specific segment destinations.

Although configuring Windows 2000 routing features is fairly simple, it is intended for use by system administrators who are already familiar with routing protocols and services.


NOTE: While any Windows 2000 Server can act as a router, Domain Controllers (DC) should not be used as routers. In the case where a Windows 2000 server is used as the enclave boundary "external" router, the server should not be a member of any domain, but should be administered as a stand-alone host.


For further information on integrating Windows 2000 Services into your environment, please refer to the Microsoft Windows 2000 Network Architecture Guide.


Enable Routing and Remote Services


NOTE: While this document briefly introduces Routing and Remote Access Services (RRAS) setup, the reader is referred to the NSA Guide "Remote Access Services" for a more in-depth presentation.
The first time Windows 2000 Server is started, you will see the Windows 2000 Configure Your Server window. To begin configuration from there, click Networking → Routing, which will bring up the Windows 2000 Routing Configuration dialog box as shown below in Figure 2.


Figure 2 - Windows 2000 Server Router Configuration Dialog Box


From the Routing window, start the Routing and Remote Access Configuration wizard at Step 1. This will bring you to the Routing and Remote Access window shown below in Figure 3.

To enable RRAS if you are already running Windows 2000 Server:

■ Click Start → Programs → Administrative Tools → Routing and Remote Access

■ Right-click your server name in the left pane of the RRAS console

■ Click Configure and Enable Routing and Remote Access. This will also bring you to the Routing and Remote Access dialog box as shown below in Figure 3.
Figure 3 - Routing and Remote Access Configuration Dialog Box

Once the Routing and Remote Access Server wizard has been started, there are several configurations to choose from within the wizard. Select the Network Router configuration as shown below in Figure 4. This will enable your network to communicate with other networks as a router.


Figure 4 - Routing and Remote Access Server Setup

Continue following the wizard. When you have completed the Routing and Remote Access Server Setup wizard, the server is set up as a router. Once you have completed the wizard, the RRAS window should look similar to Figure 5.
Figure 5 - Routing and Remote Access

At this point, ensure that all the routing interfaces have addresses. The next step is to install and set up routing protocols on each interface, which will be covered in the next section.


Configuration of Router Interfaces for RIP Version 2


Since the Windows 2000 Router is best suited to route small to medium networks, the routing protocol recommended in this guide is RIP. This recommendation is made because RIP is also better suited to support small to medium sized networks with less complexity than the OSPF protocol.

RIP is a dynamic distance-vector routing protocol, meaning that routing decisions are automatically calculated based on the number of intermediate hops to the final destination. By default, the maximum number of hops for RIP is 15, so a hop value of 16 would indicate to RIP that an address is unreachable. A hop value of 1 indicates a directly connected network. Also, the standard for RIP address advertisement is every 30 seconds, with an expiration time of 180 seconds. For example, if a router does not receive an update from another router within 180 seconds, it marks the route from which no update was received as expired or unusable. After the standard default time of 240 seconds, if the router still has no updates, the expired route is then completely removed from the routing table. It is important to make sure all routers in the RIP environment have identical times for each of the three variables; otherwise a loss in connectivity or looping can occur.

Windows 2000 supports the two distinct versions of RIP, although they are not compatible with each other. Version 1 of RIP provides basic routing updates by broadcasting updates at a specific interval, whereas Version 2 can either broadcast or multicast. RIP Version 2 is recommended for a more efficient configuration and has been used as an example in this guide.

NOTE: Implementation of the OSPF protocol is also supported by Windows 2000, although this guide does not address specific configuration issues. If your network is currently running OSPF, Windows 2000 Router can be configured to integrate into this environment. Before configuring your router with OSPF, solid planning must take place, which should include careful consideration of each level of OSPF design. Design considerations are: Autonomous System Design, Area Design, and Network Design. Since OSPF can be quite complex, it is highly recommended to carefully review the OSPF help menus prior to implementing the protocol. Refer to the NSA "Router Security Guide" for more details on OSPF Configuration.

To configure the Windows 2000 router interfaces for RIP Version 2, perform the following steps:

□ From the Routing and Remote Access window, in the console tree click General

□ Right-click General

□ Click New Routing Protocol

□ In the Select Routing Protocol dialog box, click RIP Version 2 for Internet Protocol. See Figure 6.

□ Click OK.


Figure 6 - Select Routing Protocol Dialog Box

Once the protocol has been added to Routing and Remote Access:

□ Right-click RIP

□ Select New Interface

□ Click the interface which will be running RIP. You will see the Interface for RIP dialog box as shown in Figure 7.
Figure 7 - Interface Protocol Dialog Box

□ Select the interface that will be running the RIP v2 protocol.

□ After RIP is added to the interface, right-click on the interface

□ Select Properties. This will display the RIP Properties dialog box as shown in Figure 8.

□ At the General tab select Periodic update mode as the Operation mode for the interface. This option allows the networks within the RIP environment to keep in sync as the routing information is continuously exchanged.
Figure 8 - RIP Interface Properties, General Tab

Although password authentication has not been selected, this option is available to be set in this window. Use password authentication to prevent a denial of service attack by an unauthorized router. When authentication and a password are enabled, and an update received by the router contains an incorrect password or no password, the router will discard the update. Since the Windows 2000 router does not have the option of password encryption, it is possible for a network sniffer to easily capture RIP packets and read the password. Therefore, use of RIP password authentication for route integrity protection is not recommended at this time. If route integrity assurance is an important concern for the network, then employ static routes only.

□ Next, click on the Advanced tab as shown in Figure 9.


Figure 9 - RIP Interface Properties, Advanced Tab

As mentioned earlier, the values shown in Figure 9 are the default standard RIP settings. The Windows 2000 RIP feature has several configuration options that can be implemented to counteract common router convergence problems. Two main problems encountered with RIP updates are the possibility of routing traffic through an inefficient path and the possibility of a routing update taking excessive time to converge. Both cases will cause the routing domain to become unstable through link congestion and possible loss of packets.

Split horizon with poison-reverse processing has been enabled to eliminate looping and prevent convergence problems. Enabling triggered updates and clean-up updates, and disabling subnet summarization, also reduce convergence problems while decreasing network traffic.
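To make the timers and the split-horizon rule concrete, here is an added Python simulation (not code from the guide or from Windows 2000) of a RIP route table on a two-interface router like the one in Figure 1. It uses the guide's defaults (30 second updates, 180 second expiration, 240 second removal, infinity of 16); the router addresses and networks are constructed, and the 240 second removal time is taken as measured from the last update received.

```python
from dataclasses import dataclass

# RIP defaults quoted in the guide (seconds, hops)
UPDATE_INTERVAL = 30   # periodic advertisement interval
ROUTE_TIMEOUT = 180    # no update within this time -> route marked expired
ROUTE_REMOVAL = 240    # still no update -> route removed (assumed: measured from the last update)
INFINITY = 16          # hop count meaning "unreachable" (15 is the largest usable hop count)
DIRECT = "direct"


@dataclass
class Route:
    network: str       # e.g. "10.0.0.0/8"
    next_hop: str      # neighbour router address, or DIRECT
    metric: int        # hop count, 1 = directly connected
    learned_on: str    # interface the route was learned on (needed for split horizon)
    last_update: float


class RipTable:
    """Minimal RIP route table: learning, aging and poison-reverse advertisement."""

    def __init__(self):
        self.routes = {}

    def add_direct(self, network, iface, now=0.0):
        self.routes[network] = Route(network, DIRECT, 1, iface, now)

    def receive_update(self, network, metric, sender, iface, now):
        """Process one route entry from a neighbour's update."""
        metric = min(metric + 1, INFINITY)       # one more hop to reach it via the sender
        cur = self.routes.get(network)
        if cur is None:
            if metric < INFINITY:                # never install an unreachable route
                self.routes[network] = Route(network, sender, metric, iface, now)
        elif cur.next_hop == sender:
            cur.metric = metric                  # same neighbour: refresh, even if poisoned
            cur.last_update = now
        elif metric < cur.metric:                # a better path through another neighbour
            self.routes[network] = Route(network, sender, metric, iface, now)

    def age(self, now):
        """Apply the expiration and removal timers; returns the networks removed."""
        removed = []
        for network, r in list(self.routes.items()):
            if r.next_hop == DIRECT:
                continue
            idle = now - r.last_update
            if idle >= ROUTE_REMOVAL:
                del self.routes[network]
                removed.append(network)
            elif idle >= ROUTE_TIMEOUT:
                r.metric = INFINITY              # expired: kept, but advertised as unreachable
        return removed

    def advertise(self, iface):
        """Entries for the periodic update sent out `iface`, using split horizon with
        poison reverse: routes learned on that interface go out with metric 16."""
        update = {}
        for network, r in self.routes.items():
            if r.next_hop != DIRECT and r.learned_on == iface:
                update[network] = INFINITY
            else:
                update[network] = r.metric
        return update

    def metric_of(self, network):
        r = self.routes.get(network)
        return r.metric if r else None


def demo():
    """Walk the timers through on a router with a LAN and a WAN interface (addresses constructed)."""
    t = RipTable()
    t.add_direct("192.168.1.0/24", "LAN")
    t.add_direct("192.168.2.0/24", "WAN")
    # WAN neighbour 192.168.2.2 advertises 10.0.0.0/8 two hops away -> installed at 3
    t.receive_update("10.0.0.0/8", 2, "192.168.2.2", "WAN", now=0)
    timeline = {"installed": t.metric_of("10.0.0.0/8"),
                "to_wan": t.advertise("WAN")["10.0.0.0/8"],   # poisoned back toward the source
                "to_lan": t.advertise("LAN")["10.0.0.0/8"]}   # real metric toward the inside
    for now in (UPDATE_INTERVAL, 2 * UPDATE_INTERVAL):       # neighbour keeps advertising
        t.receive_update("10.0.0.0/8", 2, "192.168.2.2", "WAN", now)
    t.age(60 + ROUTE_TIMEOUT - 1)                             # then the neighbour goes silent
    timeline["before_timeout"] = t.metric_of("10.0.0.0/8")   # 3, still fresh
    t.age(60 + ROUTE_TIMEOUT)
    timeline["expired"] = t.metric_of("10.0.0.0/8")           # 16, unreachable
    timeline["removed"] = t.age(60 + ROUTE_REMOVAL)            # ["10.0.0.0/8"]
    return timeline


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

A neighbour configured with a longer expiration time would keep advertising a route this router has already poisoned, which is the mismatch the guide warns about.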

NOTE: After the Windows 2000 Router settings have been configured, it is important to make sure that the neighboring routers are configured with the same settings.
Summary


In summary, the following are recommended when configuring the Windows 2000 Server as a router:

□ Domain controllers should not be used as routers.

□ In the case where a Windows 2000 server is used as the enclave boundary "external" router, the server should not be a member of any domain, but should be administered as a stand-alone host.

□ Windows 2000 Routing is best suited to route small to medium networks. Given this, the recommended routing protocol is the Routing Information Protocol (RIP).

□ The use of RIP password authentication is not recommended as the passwords are passed in the clear.

□ To help eliminate looping and convergence problems, enable split horizon with poison-reverse processing, triggered updates, and clean-up updates, and disable subnet summarization.
Windows 2000 Router Security Configuration

The following guidelines should be considered in order to enhance the security of the RIP protocol and decrease possible denial of service attacks against the router.


Password Authentication


As mentioned in the previous section, password authentication is an available option as shown in Figure 8. However, since the actual password cannot be encrypted, any network sniffer can easily capture the RIP packets and read the password. Again, use of this option is not recommended at this time.


Peer Security


The Windows 2000 router also has a peer security feature, which can be enabled to designate the IP addresses of authorized routers. The addition of peer filters configures peer security. To add peer filters:

□ In Routing and Remote Access, in the console tree right-click RIP

□ Click Properties

□ On the Security tab, as shown in Figure 10, add the IP addresses of the routers from which update announcements will be accepted. If the broadcast source is an unauthorized router, the update is discarded.


Figure 10 - RIP Peer Security Dialog Box
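As an added illustration (not code from the guide or from RRAS), the following Python code parses a RIPv2 update at the wire level, applies the peer filter just described before anything else, and shows why the password option of the previous section is weak: the simple-password entry carries the password as plain bytes in the first 20-byte entry. The peer addresses, networks and password are constructed for the example.

```python
import struct
import ipaddress

RIP_VERSION = 2
RIP_RESPONSE = 2            # command 2 = response, i.e. a routing update
AFI_IP = 2                  # address family identifier for IP routes
AFI_AUTH = 0xFFFF           # first entry carries authentication instead of a route
AUTH_SIMPLE_PASSWORD = 2    # RFC 2453 simple (cleartext) password
INFINITY = 16


def build_rip_response(routes, password=None):
    """Construct a RIPv2 response packet (test data; layout per RFC 2453).
    routes: list of (network, mask, next_hop, metric) as dotted strings and an int."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    if password is not None:
        pw = password.encode()
        if len(pw) > 16:
            raise ValueError("RIPv2 simple password is at most 16 bytes")
        # The password is copied into the entry as-is: no hashing, no encryption.
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, pw)
    for net, mask, next_hop, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", AFI_IP, 0,
                           ipaddress.ip_address(net).packed,
                           ipaddress.ip_address(mask).packed,
                           ipaddress.ip_address(next_hop).packed, metric)
    return pkt


def parse_rip_response(pkt):
    """Return (password, routes): password is the cleartext string from a
    simple-password entry, or None when the update is unauthenticated."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("malformed RIP packet length")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if command != RIP_RESPONSE or version != RIP_VERSION:
        raise ValueError("not a RIPv2 response")
    password, routes = None, []
    for idx, off in enumerate(range(4, len(pkt), 20)):
        entry = pkt[off:off + 20]
        afi, tag = struct.unpack("!HH", entry[:4])
        if afi == AFI_AUTH:
            if idx != 0:
                raise ValueError("authentication entry must be the first entry")
            if tag == AUTH_SIMPLE_PASSWORD:
                # Bytes 4..19 of the first entry are the password itself, which is
                # why any capture of the update on the segment reveals it.
                password = entry[4:].rstrip(b"\0").decode()
            continue
        net, mask, next_hop, metric = struct.unpack("!4s4s4sI", entry[4:])
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric out of range")
        routes.append((str(ipaddress.ip_address(net)), str(ipaddress.ip_address(mask)),
                       str(ipaddress.ip_address(next_hop)), metric))
    return password, routes


def accept_update(source_ip, pkt, authorized_peers, expected_password=None):
    """Decide whether a received update is used. The peer filter is applied first
    (unauthorized source -> discard), then the optional password check."""
    if source_ip not in authorized_peers:
        return "discard", "source is not an authorized peer", []
    try:
        password, routes = parse_rip_response(pkt)
    except ValueError as exc:
        return "discard", f"malformed update: {exc}", []
    if expected_password is not None and password != expected_password:
        return "discard", "missing or incorrect password", []
    return "accept", "update from authorized peer", routes


if __name__ == "__main__":
    peers = {"192.168.2.2"}    # the only neighbour allowed to send updates (constructed)
    update = build_rip_response([("10.0.0.0", "255.0.0.0", "0.0.0.0", 2)], password="s3cret")
    print(accept_update("192.168.2.9", update, peers))             # discard: not a peer
    print(accept_update("192.168.2.2", update, peers, "s3cret"))   # accept
    print("password readable from the packet:", parse_rip_response(update)[0])
```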
IPSec


IPSec was developed by the Internet Engineering Task Force (IETF) to provide security for transmission of sensitive information over unprotected networks. IPSec uses encryption to protect the information packets and authenticates the IP packets at the network layer.

The three main technologies IPSec uses are the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, and Internet Key Exchange (IKE). IPSec uses IKE to generate the encryption and authentication keys and to handle the negotiation of the protocols and algorithms.

IKE uses encryption to protect the actual security negotiation. IKE must be able to use at least DES encryption. Therefore, Windows 2000 computers must be able to perform DES in CAPI (Cryptographic API) in order to secure traffic using any type of IPSec packet format.

Unfortunately, Microsoft has confirmed that when using the Windows 2000 router with the RIP version 2 or OSPF routing protocols, IPSec or IP-to-IP tunnels cannot be used. This is because both the RIP and OSPF routing protocols require a numbered interface to function, and neither IPSec nor IP-to-IP tunnels provide a numbered interface. For more information, see Microsoft Knowledge Base Article Q227523 at http://support.microsoft.com/support/kb/articles/Q227/5/23.ASP. This is also why the recommended configuration is a contained domain environment.


Packet Filtering


One of the main purposes of using the Windows 2000 routing features is to control access to network resources at minimal cost. Controlling access to the network resources can be done by packet filtering. When packet filters are enabled on the router interfaces, detailed rules control what traffic will be accepted or forwarded on that interface. Packet filtering can mitigate the possibility of networks being used as an agent during a DDOS attack. This section will discuss the configuration of packet filtering.

Before discussing how to configure the Windows 2000 router to filter packets, it is important to understand packet filtering. When a packet arrives at the router interface, the router examines the IP header. The IP packet header contains the following information, which the router examines:

■ Source IP address

■ Destination IP address

■ IP protocol type (i.e., TCP, UDP or ICMP)

The source IP address is the address of the machine sending the message, the destination IP address is the address of the intended recipient machine, and the IP protocol type identifies the higher-level protocol that will receive the data, i.e., it tells IP what the next level of protocol is. Each of these protocols carries its own header, which the router also examines. The headers for TCP, UDP or ICMP include the following information:

■ Source TCP or UDP port number

■ Destination TCP or UDP port number

■ ICMP type number

■ ICMP code number

The source TCP or UDP port number is the port number from the sending machine. For example, if an HTTP web server machine sends the message, then the source port number will be port 80, because the message was most likely sent out of port 80.

The destination TCP or UDP port number is the port to which the data is being sent. If a message is being sent to an SMTP server, then the destination port number will most likely be port 25.

The ICMP type numbers are used to identify the different types of ICMP messages, for example, Echo Request, Echo Reply, or Destination Unreachable. The ICMP messages can provide vital information about why a message failed to reach its destination because these messages also include type codes.

Lastly, ICMP code numbers are codes given to the ICMP type messages just mentioned. For example, an ICMP Type 3 message of "Destination Unreachable" can be associated with different code messages such as:

■ Destination Unreachable - Network unreachable

■ Destination Unreachable - Host unreachable

■ Destination Unreachable - Protocol unreachable

■ Destination Unreachable - Port unreachable

There are different codes for each of the above Type 3 messages. All of this header information is important to understand when filtering packets. The next section discusses how to configure the router filters.


Configuring Windows 2000 Router Packet Filtering


Packet filtering can only be configured after RRAS has been enabled and the interfaces have been added to the IP Routing General subnode.

To begin the packet filtering option on the Windows 2000 Router at the RRAS window:

□ Click IP Routing under your router name

□ Double-click General under IP Routing

□ Double-click the interface to which you want to add packet filters. This will bring you to the dialog box shown in Figure 11.

Packet filtering for Windows 2000 is defined by exception. That is, to define a filter you must decide whether you want to allow all packets through except for certain defined packets, or drop all packets and accept only certain ones.
Figure 11 - Local Interface Configuration

Here you will need to decide if you want to configure Input Filters or Output Filters. Input Filters are for filtering packets arriving or coming in to the interface. Output Filters are filters that apply to packets that are being sent out of the interface.

If  an  Input  Filter  is  defined  to  drop  packets  heading  for  TCP  port  80,  the  filter  will  drop  all 
incoming  packets  that  have  destination  TCP  port  number  set  to  80,  regardless  of  the 
destination  host  IP  address.  This  applies  to  packets  that  have  a  source  other  than  the 
router  itself  and  must  arrive  at  the  interface  that  has  the  Input  Filter  defined. 

If  an  Output  Filter  is  defined  for  port  21  (FTP)  to  drop  any  such  requests  and  a  client  on 
the  internal  network  sends  a  packet  to  an  Internet  host  with  the  destination  port  number 
of  21 ,  the  router  interface  will  not  send  the  packet  out. 

Select  the  Enable  fragmentation  checking  box  to  specify  whether  the  router  drops  all 
fragmented  IP  packets  it  receives  on  this  interface.  This  option  only  applies  to  incoming 
traffic.  If  you  want  to  prevent  the  router  from  forwarding  fragmented  IP  packets  on  any 
interface,  select  this  box  on  all  interfaces  on  the  router. 

Refer to the NSA Router Security Configuration Guide, section 3.2.2 Packet Filters for
TCP/IP for detailed recommendations on applying packet filters. To ensure the optimum
security, it is recommended to follow the security principle of "All communications are
denied unless expressly permitted". This principle is also recommended in the NSA
Router Security Configuration Guide, section 3.2.2.

At  this  point,  it  also  must  be  determined  which  services  and  protocols  must  cross  the 
router.  Once  this  determination  is  made,  create  a  set  of  filtering  rules  that  permit  the 
traffic  to  cross  the  router,  while  prohibiting  all  other  traffic.  To  accomplish  this: 

□  In  the  Input  Filters  Dialog  box,  click  Add 
□ The "Drop all packets except those that meet the criteria below" option should be
selected  when  the  specific  rules  are  added  at  the  Add  IP  Filter  Dialog  box  as 
shown  in  Figure  13. 

In  cases  where  only  certain  hosts  or  networks  need  access  to  particular  services,  add  a 
filter  rule  that  permits  that  service  but  only  for  the  specific  host  address  or  range  of 
addresses.  For  example,  the  network  firewall  host  might  be  the  only  address  authorized 
to  initiate  web  connections  (TCP  port  80)  through  the  router.  Each  network  requirement 
may  be  different. 

In  some  cases,  the  above-mentioned  filtering  rules  may  not  be  practical.  If  this  is  the 
case,  then  the  recommended  filtering  is  to  prohibit  services  that  are  commonly  not 
needed  and  if  used  could  potentially  open  your  network  to  security  compromise.  Refer 
to  the  two  tables  in  the  NSA  Router  Security  Configuration  Guide,  section  3.2.2  for 
detailed  instructions  on  which  services  to  restrict.  Also  please  refer  to  the  NSA  Router 
Security  Configuration  Guide,  section  4.3.3.  “Filtering  Traffic  through  the  Router”, 
which  covers  IP  Address  Spoof  Protection  for  Inbound  and  Outbound  traffic.  The  router 
should  be  configured  to  prohibit  traffic  on  the  network  that  does  not  have  an  authorized  or 
valid  IP  address.  An  example  of  this  type  of  filtering  is  shown  below. 

In this example an Input Filter is defined by clicking Input Filter. See Figure 12.


Figure 12 - Input Filters Dialog Box

At the Input Filters dialog, you must first click Add before a rule can be defined. See
Figure 13.
Figure 13 - Add IP Filter Dialog Box

In this example, which illustrates only one portion of an effective router security policy, all
packets are allowed through the router except those coming in with a source address
from the private network ID 192.168.0.0/16. This is also a good filter to define for any
network because network spoofers often place private network addresses in the
source address field of their messages.

With the Windows 2000 router, it is best to use general filters that cover a group of
computers on a network as shown above. For detailed router security filters, please refer
to the NSA Router Security Configuration Guide section 4.3.3. "Filtering Traffic
through the Router", which covers IP Address Spoof Protection for Inbound and
Outbound traffic, and Exploits Protection, which includes TCP SYN Attack, Land Attack, Smurf
Attack, ICMP Message Types & Traceroute, and Distributed Denial of Service Attacks.
These instructions can also be applied to the Windows 2000 Router Filters.


Audits  and  Logging 


Please  note  that  when  filters  are  configured  on  the  router  interface,  the  capability  to  view 
the  actual  filter  activity  is  not  available  although  the  router  will  successfully  filter  or  drop 
designated  packets.  For  example,  our  filtering  example  allowed  all  packets  across  the 
local  interface  except  source  addresses  from  the  network  192.168.20.0/16.  In  testing 
performed  by  the  author,  the  filter  was  successful  at  dropping  the  appropriate  packets  as 
viewed  using  Network  Monitor,  but  there  was  no  record  of  actual  packets  being  dropped 
recorded  in  any  of  the  Windows  2000  logfiles.  This  is  a  significant  limitation.  If  a  network 
is  being  attacked,  it  is  important  for  the  network  administrator  to  have  the  capability  to 
view  the  actual  attempted  attacks. 
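The filter semantics described in this chapter (Input versus Output filters, the two filter modes, the anti-spoofing rule of Figure 13, the port 21 Output Filter, the firewall-host-only web rule, and fragmentation checking) can be modelled in a few dozen lines. The following is an added example, not code from the guide or from Microsoft; it mirrors the behaviour the text describes and, unlike the real router, records every dropped packet in a log list, which is exactly the visibility the Audits and Logging paragraph says RRAS does not provide. All class names, mode names, interface names and packets are constructed for this example.

```python
"""Model of Windows 2000 RRAS per-interface packet filters (added example).

Not code from the guide or Microsoft. Models Input/Output filter lists,
each in "permit all except" or "drop all except" mode, rules matching on
source/destination network, protocol and ports, and the "Enable
fragmentation checking" option. Every drop is written to drop_log.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

PERMIT_EXCEPT = "permit all except matching"   # "Receive/Transmit all packets except..."
DROP_EXCEPT = "drop all except matching"       # "Drop all packets except..."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    fragment: bool = False  # a non-initial IP fragment


@dataclass(frozen=True)
class Rule:
    """One Add IP Filter entry; "any"/None means the field is unrestricted."""
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


@dataclass
class FilterList:
    mode: str
    rules: List[Rule] = field(default_factory=list)

    def permits(self, p: Packet) -> bool:
        matched = any(r.matches(p) for r in self.rules)
        # DROP_EXCEPT: a match is the exception that is let through.
        # PERMIT_EXCEPT: a match is what gets dropped.
        return matched if self.mode == DROP_EXCEPT else not matched


@dataclass
class Interface:
    name: str
    input_filters: Optional[FilterList] = None
    output_filters: Optional[FilterList] = None
    fragment_check: bool = False
    drop_log: List[str] = field(default_factory=list)

    def _drop(self, direction: str, p: Packet, why: str) -> bool:
        self.drop_log.append(f"{self.name} {direction} DROP {p.proto} "
                             f"{p.src}:{p.sport} -> {p.dst}:{p.dport} ({why})")
        return False

    def receive(self, p: Packet) -> bool:
        """Inbound: fragmentation check first, then the Input Filters."""
        if self.fragment_check and p.fragment:
            return self._drop("in", p, "fragment")
        if self.input_filters and not self.input_filters.permits(p):
            return self._drop("in", p, "input filter")
        return True

    def send(self, p: Packet) -> bool:
        """Outbound: only the Output Filters apply."""
        if self.output_filters and not self.output_filters.permits(p):
            return self._drop("out", p, "output filter")
        return True


def demo() -> dict:
    """Run the chapter's scenarios on constructed packets and return the decisions."""
    # External interface: Figure 13 spoof filter inbound, port 21 Output Filter outbound.
    outside = Interface("External",
                        input_filters=FilterList(PERMIT_EXCEPT, [Rule(src_net="192.168.0.0/16")]),
                        output_filters=FilterList(PERMIT_EXCEPT, [Rule(proto="tcp", dport=21)]))
    # Internal interface: default deny; only the firewall host may start web connections.
    inside = Interface("Internal", fragment_check=True,
                       input_filters=FilterList(DROP_EXCEPT,
                                                [Rule(src_net="10.0.0.1/32", proto="tcp", dport=80)]))
    decisions = {
        "spoofed_private_src": outside.receive(Packet("192.168.5.7", "203.0.113.9", "tcp", 40000, 80)),
        "legit_src": outside.receive(Packet("198.51.100.4", "203.0.113.9", "tcp", 40000, 80)),
        "ftp_out": outside.send(Packet("10.0.0.5", "198.51.100.4", "tcp", 40001, 21)),
        "http_out": outside.send(Packet("10.0.0.5", "198.51.100.4", "tcp", 40002, 80)),
        "firewall_web": inside.receive(Packet("10.0.0.1", "198.51.100.4", "tcp", 40003, 80)),
        "other_host_web": inside.receive(Packet("10.0.0.2", "198.51.100.4", "tcp", 40004, 80)),
        "firewall_smtp": inside.receive(Packet("10.0.0.1", "198.51.100.4", "tcp", 40005, 25)),
        "fragment": inside.receive(Packet("10.0.0.1", "198.51.100.4", "tcp", 40003, 80, fragment=True)),
    }
    decisions["drop_log"] = outside.drop_log + inside.drop_log
    return decisions


if __name__ == "__main__":
    for line in demo()["drop_log"]:
        print(line)
```

The drop_log is the part the real product lacks: each entry names the interface, direction, protocol, addresses, ports and the reason, which is the minimum an administrator needs to recognise that spoofed or disallowed traffic is arriving. Note also the ordering in receive(): the fragmentation check is applied before any Input Filter rule, so an otherwise permitted packet is still dropped when it arrives as a fragment on an interface with the option enabled.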
Summary


In  summary,  the  following  are  recommended  for  enhanced  security  of  the  Windows  2000 
Server  as  a  router  using  the  RIP  protocol: 

□  Configuration  of  Peer  Security  is  recommended  to  enable  the  designation  of 
authorized  routed  IP  addresses. 

□ IPSec and IP-to-IP tunnels are designed to enhance secure transmission;
however, they cannot be used with RIP version 2 or OSPF routing protocols.

□  Packet  filters  should  also  be  enabled  on  the  router  in  order  to  control  what  traffic 
will  be  accepted  and  forwarded  on  the  router  interfaces.  It  is  best  to  specify 
general  filters  that  cover  a  group  of  computers  on  a  network  rather  than  specify 
each  individual  host.  To  ensure  the  optimum  security,  it  is  recommended  to 
follow  the  security  principle  of  “All  communications  are  denied  unless  expressly 
permitted.” 

□  In  order  to  help  preclude  IP  address  spoofing,  the  router  should  be  configured  to 
prohibit  network  traffic  that  does  not  have  an  authorized  or  valid  IP  address. 


Conclusion 


The  primary  focus  of  this  guide  is  configuring  the  Windows  2000  Server  Router  feature  of 
the  Routing  and  Remote  Access  application.  The  Windows  2000  Router  platform  has 
numerous  other  capabilities  that  have  not  been  discussed  in  this  configuration  guide. 

The  disadvantage  of  the  Windows  2000  routing  is  the  limited  security  features.  If  using 
IPSec,  Windows  2000  router  does  not  support  the  ability  to  use  IPSec  with  the  RIP  and 
OSPF  routing  protocols.  Therefore,  the  Windows  2000  router  does  not  have  the  ability  to 
route  sensitive  information  over  WANs  or  the  Internet  via  protected  tunneling.  Also, 
although  the  capability  exists  to  filter  specified  packets,  ports  and  IP  addresses,  the 
router  does  not  provide  the  capability  to  record  and  view  the  actual  denied  filter  activity. 
Again,  if  a  network  is  under  attack,  even  though  the  router  successfully  filters,  it’s 
important  for  system  administrators  to  have  an  awareness  that  these  attempted  attacks 
are  occurring.  Lastly,  the  Windows  2000  router  does  not  provide  the  capability  to  encrypt 
the  router  authentication  password.  This  disadvantage  allows  any  sniffer  the  ability  to 
collect  the  packet,  read  the  password  in  clear  text  and  spoof  an  authorized  router. 

Overall, Windows 2000 Server Routing proves to be fairly simple to configure and cost
effective. It supports both RIP and OSPF routing protocols, allowing the router the
flexibility to be integrated into a variety of routing architectures. The Windows 2000
Router proves to be an acceptable mid-range routing solution for small internal network
environments. It is not, however, recommended in environments requiring transmission of
sensitive information.


Appendix A - References


Black,  Ulysses,  IP  Routing  Protocols,  Prentice  Hall,  2000. 

NSA  System  and  Network  Attack  Center,  Router  Security  Configuration  Guide,  May  2000. 

NSA  Systems  and  Network  Attack  Center,  Microsoft  Windows  2000  Network  Architecture  Guide, 
October  2000. 

Windows 2000 Magazine Website: http://www.winntmag.com
